CVE-2026-13768

CRITICAL
10.0
CVSS 3.1
Description
Gardyn devices expose a privileged iothubowner key. Access to this key will allow a malicious user to invoke an IoTHub Registry Manager function which returns connection information for all Gardyn Home Kit and Studio devices. Access to this key also allows a malicious user to execute arbitrary commands on a specific connected device and may allow the malicious user to pivot to other devices on the user's network.

Metadata

CVE ID: CVE-2026-13768
State: PUBLISHED
Assigner: icscert
Reserved: 2026-06-29 20:16 UTC
Published: 2026-07-02 23:40 UTC
Last updated: 2026-07-02 23:40 UTC
Primary CWE: CWE-798
Vendor / Product: Gardyn / Gardyn Home Firmware
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Affected products (3)
Vendor | Product | Platform | Versions
Gardyn | Gardyn Cloud API |  | 0 < 2.12.2026
Gardyn | Gardyn Home Firmware |  | 0 < master.627
Gardyn | Gardyn Studio Firmware |  | 0 < master.627
Weakness (CWE)
CWE | Source | Description
CWE-798 | cna | CWE-798
CVSS scores (2)
Score | Severity | Version | Source | Vector
10.0 | CRITICAL | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
9.5 | CRITICAL | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L